Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

XTinyLoader

XTinyLoader is a malware loader observed in StealC-linked activity. Proofpoint and IBM X-Force reported that StealC infections delivered XTinyLoader among other secondary payloads, indicating XTinyLoader is used as part of follow-on malware delivery chains rather than as the initial access malware in the cited reporting. In a notable observed infection chain, StealC downloaded XTinyLoader, which then downloaded a LockBit Black (LockBit 3.0) ransomware payload. The provided content does not attribute XTinyLoader to a specific threat actor or malware-as-a-service operation beyond its use in StealC-associated campaigns, and it does not provide platform-specific technical details, persistence mechanisms, or indicators of compromise for XTinyLoader itself.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1204User ExecutionEvidence1

At this point, the StealC malware client will attempt to download and execute one of the payloads from the URLs provided by the server.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence3

It is worth noting that StealC is not limited to simple password theft. The malware can also act as a loader, allowing operators to deliver other malicious files to infected machines.

Impact

1 technique
T1486Data Encrypted for ImpactEvidence2

One notable example is a StealC client downloading XTinyLoader, which, in turn, downloaded a LockBit Black ransomware payload.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
hackreadNews
Jun 24, 2026
Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks

XTinyLoader is listed as a malware family delivered in StealC-linked activity.

Read more
help net securityNews
Jun 24, 2026
Law enforcement hits StealC and Amadey malware networks - Help Net Security

XTinyLoader is a loader malware observed being downloaded by StealC and then used to deliver a LockBit Black ransomware payload.

Read more
ibmNews
Jun 24, 2026
StealC you later: Proofpoint and IBM X-Force support Operation Endgame disruptions | IBM

A loader observed as an intermediate payload in StealC infections, including delivery of LockBit Black ransomware.

Read more
proofpointNews
Jun 23, 2026
StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions | Proofpoint US

XTinyLoader is a loader observed in StealC delivery chains, used to download subsequent payloads including ransomware.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.